Saturday, October 19, 2024

The Security Risks Faced by Numerous NetSuite Customers due to Data Exposure

Research from AppOmni has revealed that thousands of organisations using NetSuite SuiteCommerce are inadvertently putting their sensitive data at risk because of misconfigured access controls on custom record types. This misconfiguration can result in a public-facing website through which unauthorized individuals can easily access data. Many affected users are unaware that they are leaking data, including personally identifiable information such as customer addresses and phone numbers.

Although NetSuite is a leading ERP system, these vulnerabilities are not the result of any known product issue; they stem from mistakes made during setup. AppOmni aims to educate organisations on SaaS security best practices to prevent such data leaks.

The issue stems from the lack of proper access controls on custom record types, making them vulnerable to malicious API calls. While NetSuite does not currently provide transaction logs to detect unauthorized data access, organisations can refer to AppOmni’s detailed report for guidance on identifying potential attacks and contacting support for further assistance.

To address the problem, organisations must tighten access controls on custom record types, a change that may affect legitimate business operations. This task may be challenging, but it is crucial for safeguarding sensitive data from unauthorized access.

As unauthenticated data exposure through SaaS applications becomes a top threat to enterprises, organisations must be proactive in securing their systems. With the complexity of SaaS applications increasing, the risks associated with misconfigurations are also on the rise. It is essential for security teams and platform administrators to stay vigilant and address vulnerabilities promptly to protect sensitive data from exploitation.